Application Security: What You Think You Know Is Wrong

I've been covering the vagaries of AppSec for the better part of a decade now. And in spite of all the evidence that has surfaced over the years that points to the application layer as one of the riskiest in the IT infrastructure, I've observed that most IT programs haven't matured their AppSec programs accordingly. The level of investment and attention to detail in enterprise application security is, on average, not commensurate with the risk. According to recent figures from SANS, about half of enterprises spend 10 percent or less of the overall IT budget on application...

What Causes An Information Security Program to Fail?

Most successful, high-profile security incidents are caused by the failure of an information security program. In many cases, the exploitation of a vulnerability in an application is the root cause of a major attack. In recent years, the number of successful cyberattacks has been increasing steadily, and data breaches represent a large share of these attacks. More than one-third of security breaches are carried out using an application as the attack vector, yet organizations aren't adopting the security posture needed to prevent such attacks. The Risks of No Policy...

How AppSec Fits into the Security Ecosystem

When securing your organization, there are a variety of strategies and technologies you can employ. You know that reducing risk means implementing a variety of security technologies that are interdependent and intertwined. This interdependency creates a security ecosystem, and like all ecosystems it must remain in balance in order to secure the enterprise effectively. Understanding how each security layer fits into this ecosystem can be difficult, as vendors in each space have long claimed that their layer is the most critical. In reality, each one is necessary to securing an organization. No...

Checklist for Creating an Application Security Program

Creating an application security program can be a daunting task. Yet many companies have succeeded by creating an implementation plan that is broken up into manageable chunks. But once you've decided that you must implement an advanced program at your company, how do you know where to start? This checklist provides a practical guide for creating your application security strategy and getting started. You can use it to make sure you aren't missing any steps as you begin your application security journey. View the Application Security Program...

Why Application Security Programs Fail

The main hurdle that prevents organizations from embarking on an advanced application security program is knowing where to start. But once you've figured out your starting point and your key metrics, and worked with groups across your enterprise to create a strategy, your program still isn't guaranteed to succeed. There are a number of common hazards that companies fail to consider when implementing their program. The three most common pitfalls to avoid if you want your program to succeed are: 1: Lack of policy enforcement 2: Lack of expertise on how to reduce risk 3:...

Don't Let AppSec Misconceptions Lead You Astray

When it comes to application security in the workplace, one of the main challenges is the misconception that it's hard to implement and very difficult to maintain. This fallacy derives mainly from a lack of awareness of cyberthreats and of the correct way to mitigate them. AppSec is a challenge for any organization because, in the majority of cases, internal personnel aren't trained on the threats, on cybersecurity best practices, or on the proper response to a cyber incident. A common error is to think that application security is an expensive waste of time. For...

The Top 6 App Security Myths and Why You Can't Believe Them

Application security is hardly the hottest topic around most water coolers. That hasn't stopped several app security myths from developing and spiraling out of control. Before one more person tells you that basic antivirus software can prevent all types of malicious hacking, drop everything you're doing and read this list of the top six AppSec myths. 1. It's too expensive. We've all heard this one before. Someone in the company knows that they should get nicer, more comprehensive security software tailored to the enterprise, but all that explosive growth means that funds have...

Presenting "Application Security Fallacies and Realities"

When it comes to answering the questions "What is application security?" and "How does it work?", misunderstandings abound. Why is application security so misunderstood? Perhaps it's because vulnerabilities are an abstract concept that hasn't been explored in depth in the media or in software development coursework. Perhaps it's because for years, network security and endpoint security were sufficient tools for protecting your data. Or perhaps it's because initial attempts at providing application security were neither efficient nor effective, creating a lasting impression...

Mother May I – a Story of Application Privilege Security

Our mothers all want the best for us. They raised us to ensure we didn’t do anything crazy like run out in front of traffic or play with broken glass. More often than not, we had to ask for permission to do things like swim at our friend’s house or eat all of our Halloween candy in one sitting. Our moms then did their motherly duties of checking in with the swimming pool mother or telling us we can only eat one piece of candy. Moms protected us from ourselves. That’s just what they do. It’s in their contract to look after us until we come of age to make mistakes on...

How We Took Our Application Security Program From 0 to 60 in 12 Months

In the grand scheme of an enterprise's life, one year isn't a long time. Especially when you are talking about designing, implementing, iterating and improving an application security program. But that is the amount of time one financial services company took to create and improve their application security program. Upon speaking with the project manager, I was most struck by his pragmatism. "When you are starting from scratch, you can't expect to go from doing nothing to having an advanced program right away", he told me. Here is his story, in his own words, of how he...
